AWS Security ChangesHomeSearch

AWS dms medium security documentation change

Service: dms · 2025-06-28 · Security-related medium

File: dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md

Summary

Added detailed step-by-step instructions for configuring IAM authentication for Amazon RDS endpoints, including IAM role creation with specific policies and trust relationships

Security assessment

The change documents IAM authentication configuration which is a security feature controlling database access. It explicitly shows how to create minimal privilege policies (rds-db:connect) and service trust relationships, directly impacting access control security.

Diff

diff --git a/dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md b/dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md
index da9ac0f60..93e9be8fa 100644
--- a//dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md
+++ b//dms/latest/userguide/CHAP_Endpoints.Creating.IAMRDS.md
@@ -17 +17,48 @@ When creating an endpoint you can configure IAM authentication for your Amazon R
-### AWS CLI
+  1. Ensure the Amazon RDS and the database user has IAM authentication enabled. For more information, see [Enabling and disabling IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) in the _Amazon Relational Database Service user guide_. 
+
+  2. Navigate to the IAM Console, create an IAM role with the below policies:
+
+Policy
+    
+        {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "VisualEditor0",
+                "Effect": "Allow",
+                "Action": [
+                    "rds-db:connect"
+                    ],
+                "Resource": [
+                    "arn:aws:rds-db:<region>:<account-id>:dbuser:<db-identifier>/<username>"
+                    ]
+            }
+        ]
+    }
+
+Trust policy:
+    
+        {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "dms.amazonaws.com"
+                    ]
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+
+  3. During the endpoint configuration in the [[AWS DMS console]()](https://console.aws.amazon.com/dms/v2), navigate to the **Access to endpoint database** section and select **IAM authentication**.
+
+  4. In the **IAM role for RDS database authentication** dropdown menu, select the IAM role with appropriate permissions to access the database.
+
+For more information, see [Creating source and target endpoints](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Endpoints.Creating.html).
+
+
+